From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <libc-hacker-return-5347-listarch-libc-hacker=sourceware.cygnus.com@sources.redhat.com>
Received: (qmail 17903 invoked by alias); 1 Aug 2002 22:46:39 -0000
Mailing-List: contact libc-hacker-help@sources.redhat.com; run by ezmlm
Precedence: bulk
List-Subscribe: <mailto:libc-hacker-subscribe@sources.redhat.com>
List-Archive: <http://sources.redhat.com/ml/libc-hacker/>
List-Post: <mailto:libc-hacker@sources.redhat.com>
List-Help: <mailto:libc-hacker-help@sources.redhat.com>, <http://sources.redhat.com/ml/#faqs>
Sender: libc-hacker-owner@sources.redhat.com
Received: (qmail 17884 invoked from network); 1 Aug 2002 22:46:38 -0000
Received: from unknown (HELO sunsite.mff.cuni.cz) (195.113.19.66)
  by sources.redhat.com with SMTP; 1 Aug 2002 22:46:38 -0000
Received: (from jakub@localhost)
	by sunsite.mff.cuni.cz (8.11.6/8.11.6) id g71MkZG08001;
	Fri, 2 Aug 2002 00:46:35 +0200
Date: Thu, 01 Aug 2002 15:46:00 -0000
From: Jakub Jelinek <jakub@redhat.com>
To: Ulrich Drepper <drepper@redhat.com>
Cc: Glibc hackers <libc-hacker@sources.redhat.com>
Subject: [PATCH] xdr_array and calloc security fix
Message-ID: <20020802004635.Y20867@sunsite.ms.mff.cuni.cz>
Reply-To: Jakub Jelinek <jakub@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
X-SW-Source: 2002-08/txt/msg00002.txt.bz2

Hi!

2002-08-02  Jakub Jelinek  <jakub@redhat.com>

	* malloc/malloc.c (public_cALLOc): Check for overflow on
	multiplication.
	* sunrpc/xdr_array.c (xdr_array): Likewise.
	* sunrpc/rpc/types.h (mem_free): Add comment.
	Patch by Solar Designer <solar@openwall.com>.

--- libc/malloc/malloc.c.jj	2002-06-21 11:37:55.000000000 +0200
+++ libc/malloc/malloc.c	2002-08-02 00:58:16.000000000 +0200
@@ -3452,16 +3452,23 @@ public_cALLOc(size_t n, size_t elem_size
 {
   mstate av;
   mchunkptr oldtop, p;
-  INTERNAL_SIZE_T sz, csz, oldtopsize;
+  INTERNAL_SIZE_T bytes, sz, csz, oldtopsize;
   Void_t* mem;
   unsigned long clearsize;
   unsigned long nclears;
   INTERNAL_SIZE_T* d;
-
   __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, __const __malloc_ptr_t)) =
     __malloc_hook;
+
+  /* size_t is unsigned so the behavior on overflow is defined.  */
+  bytes = n * elem_size;
+  if (bytes / elem_size != n) {
+    MALLOC_FAILURE_ACTION;
+    return 0;
+  }
+
   if (hook != NULL) {
-    sz = n * elem_size;
+    sz = bytes;
     mem = (*hook)(sz, RETURN_ADDRESS (0));
     if(mem == 0)
       return 0;
@@ -3473,8 +3480,7 @@ public_cALLOc(size_t n, size_t elem_size
 #endif
   }
 
-  /* FIXME: check for overflow on multiplication.  */
-  sz = n * elem_size;
+  sz = bytes;
 
   arena_get(av, sz);
   if(!av)
--- libc/sunrpc/rpc/types.h.jj	2001-06-25 10:34:46.000000000 +0200
+++ libc/sunrpc/rpc/types.h	2002-08-02 00:59:16.000000000 +0200
@@ -58,6 +58,10 @@ typedef unsigned long rpcport_t;
 
 #include <stdlib.h>		/* For malloc decl.  */
 #define mem_alloc(bsize)	malloc(bsize)
+/*
+ * XXX: This must not use the second argument, or code in xdr_array.c needs
+ * to be modified.
+ */
 #define mem_free(ptr, bsize)	free(ptr)
 
 #ifndef makedev /* ie, we haven't already included it */
--- libc/sunrpc/xdr_array.c.jj	2002-02-28 12:32:13.000000000 +0100
+++ libc/sunrpc/xdr_array.c	2002-08-02 01:00:39.000000000 +0200
@@ -45,6 +45,7 @@ static char sccsid[] = "@(#)xdr_array.c 
 #include <rpc/types.h>
 #include <rpc/xdr.h>
 #include <libintl.h>
+#include <limits.h>
 
 #ifdef USE_IN_LIBIO
 # include <wchar.h>
@@ -81,7 +82,11 @@ xdr_array (xdrs, addrp, sizep, maxsize, 
       return FALSE;
     }
   c = *sizep;
-  if ((c > maxsize) && (xdrs->x_op != XDR_FREE))
+  /*
+   * XXX: Let the overflow possibly happen with XDR_FREE because mem_free()
+   * doesn't actually use its second argument anyway.
+   */
+  if ((c > maxsize || c > UINT_MAX / elsize) && (xdrs->x_op != XDR_FREE))
     {
       return FALSE;
     }

	Jakub